rxkad.c 35 KB

1234567891011121314151617181920212223242526272829303132333435363738394041424344454647484950515253545556575859606162636465666768697071727374757677787980818283848586878889909192939495969798991001011021031041051061071081091101111121131141151161171181191201211221231241251261271281291301311321331341351361371381391401411421431441451461471481491501511521531541551561571581591601611621631641651661671681691701711721731741751761771781791801811821831841851861871881891901911921931941951961971981992002012022032042052062072082092102112122132142152162172182192202212222232242252262272282292302312322332342352362372382392402412422432442452462472482492502512522532542552562572582592602612622632642652662672682692702712722732742752762772782792802812822832842852862872882892902912922932942952962972982993003013023033043053063073083093103113123133143153163173183193203213223233243253263273283293303313323333343353363373383393403413423433443453463473483493503513523533543553563573583593603613623633643653663673683693703713723733743753763773783793803813823833843853863873883893903913923933943953963973983994004014024034044054064074084094104114124134144154164174184194204214224234244254264274284294304314324334344354364374384394404414424434444454464474484494504514524534544554564574584594604614624634644654664674684694704714724734744754764774784794804814824834844854864874884894904914924934944954964974984995005015025035045055065075085095105115125135145155165175185195205215225235245255265275285295305315325335345355365375385395405415425435445455465475485495505515525535545555565575585595605615625635645655665675685695705715725735745755765775785795805815825835845855865875885895905915925935945955965975985996006016026036046056066076086096106116126136146156166176186196206216226236246256266276286296306316326336346356366376386396406416426436446456466476486496506516526536546556566576586596606616626636646656666676686696706716726736746756766776786796806816826836846856866876886896906916926936946956966976986997007017027037047057067077087097107117127137147157167177187197207217227237247257267277287297307317327337347357367377387397407417427437447457467477487497507517527537547557567577587597607617627637647657667677687697707717727737747757767777787797807817827837847857867877887897907917927937947957967977987998008018028038048058068078088098108118128138148158168178188198208218228238248258268278288298308318328338348358368378388398408418428438448458468478488498508518528538548558568578588598608618628638648658668678688698708718728738748758768778788798808818828838848858868878888898908918928938948958968978988999009019029039049059069079089099109119129139149159169179189199209219229239249259269279289299309319329339349359369379389399409419429439449459469479489499509519529539549559569579589599609619629639649659669679689699709719729739749759769779789799809819829839849859869879889899909919929939949959969979989991000100110021003100410051006100710081009101010111012101310141015101610171018101910201021102210231024102510261027102810291030103110321033103410351036103710381039104010411042104310441045104610471048104910501051105210531054105510561057105810591060106110621063106410651066106710681069107010711072107310741075107610771078107910801081108210831084108510861087108810891090109110921093109410951096109710981099110011011102110311041105110611071108110911101111111211131114111511161117111811191120112111221123112411251126112711281129113011311132113311341135113611371138113911401141114211431144114511461147114811491150115111521153115411551156115711581159116011611162116311641165116611671168116911701171117211731174117511761177117811791180118111821183118411851186118711881189119011911192119311941195119611971198119912001201120212031204120512061207120812091210121112121213121412151216121712181219122012211222122312241225122612271228122912301231123212331234123512361237123812391240124112421243124412451246124712481249125012511252125312541255125612571258125912601261126212631264126512661267126812691270127112721273127412751276127712781279128012811282128312841285128612871288128912901291129212931294129512961297129812991300130113021303130413051306130713081309131013111312131313141315131613171318131913201321132213231324132513261327132813291330133113321333133413351336133713381339134013411342134313441345134613471348134913501351135213531354135513561357135813591360136113621363136413651366136713681369137013711372137313741375137613771378137913801381
  1. // SPDX-License-Identifier: GPL-2.0-or-later
  2. /* Kerberos-based RxRPC security
  3. *
  4. * Copyright (C) 2007 Red Hat, Inc. All Rights Reserved.
  5. * Written by David Howells (dhowells@redhat.com)
  6. */
  7. #define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
  8. #include <crypto/skcipher.h>
  9. #include <linux/module.h>
  10. #include <linux/net.h>
  11. #include <linux/skbuff.h>
  12. #include <linux/udp.h>
  13. #include <linux/scatterlist.h>
  14. #include <linux/ctype.h>
  15. #include <linux/slab.h>
  16. #include <linux/key-type.h>
  17. #include <net/sock.h>
  18. #include <net/af_rxrpc.h>
  19. #include <keys/rxrpc-type.h>
  20. #include "ar-internal.h"
  21. #define RXKAD_VERSION 2
  22. #define MAXKRB5TICKETLEN 1024
  23. #define RXKAD_TKT_TYPE_KERBEROS_V5 256
  24. #define ANAME_SZ 40 /* size of authentication name */
  25. #define INST_SZ 40 /* size of principal's instance */
  26. #define REALM_SZ 40 /* size of principal's auth domain */
  27. #define SNAME_SZ 40 /* size of service name */
  28. #define RXKAD_ALIGN 8
  29. struct rxkad_level1_hdr {
  30. __be32 data_size; /* true data size (excluding padding) */
  31. };
  32. struct rxkad_level2_hdr {
  33. __be32 data_size; /* true data size (excluding padding) */
  34. __be32 checksum; /* decrypted data checksum */
  35. };
  36. static int rxkad_prime_packet_security(struct rxrpc_connection *conn,
  37. struct crypto_sync_skcipher *ci);
  38. /*
  39. * this holds a pinned cipher so that keventd doesn't get called by the cipher
  40. * alloc routine, but since we have it to hand, we use it to decrypt RESPONSE
  41. * packets
  42. */
  43. static struct crypto_sync_skcipher *rxkad_ci;
  44. static struct skcipher_request *rxkad_ci_req;
  45. static DEFINE_MUTEX(rxkad_ci_mutex);
  46. /*
  47. * Parse the information from a server key
  48. *
  49. * The data should be the 8-byte secret key.
  50. */
  51. static int rxkad_preparse_server_key(struct key_preparsed_payload *prep)
  52. {
  53. struct crypto_skcipher *ci;
  54. if (prep->datalen != 8)
  55. return -EINVAL;
  56. memcpy(&prep->payload.data[2], prep->data, 8);
  57. ci = crypto_alloc_skcipher("pcbc(des)", 0, CRYPTO_ALG_ASYNC);
  58. if (IS_ERR(ci)) {
  59. _leave(" = %ld", PTR_ERR(ci));
  60. return PTR_ERR(ci);
  61. }
  62. if (crypto_skcipher_setkey(ci, prep->data, 8) < 0)
  63. BUG();
  64. prep->payload.data[0] = ci;
  65. _leave(" = 0");
  66. return 0;
  67. }
  68. static void rxkad_free_preparse_server_key(struct key_preparsed_payload *prep)
  69. {
  70. if (prep->payload.data[0])
  71. crypto_free_skcipher(prep->payload.data[0]);
  72. }
  73. static void rxkad_destroy_server_key(struct key *key)
  74. {
  75. if (key->payload.data[0]) {
  76. crypto_free_skcipher(key->payload.data[0]);
  77. key->payload.data[0] = NULL;
  78. }
  79. }
  80. /*
  81. * initialise connection security
  82. */
  83. static int rxkad_init_connection_security(struct rxrpc_connection *conn,
  84. struct rxrpc_key_token *token)
  85. {
  86. struct crypto_sync_skcipher *ci;
  87. int ret;
  88. _enter("{%d},{%x}", conn->debug_id, key_serial(conn->key));
  89. conn->security_ix = token->security_index;
  90. ci = crypto_alloc_sync_skcipher("pcbc(fcrypt)", 0, 0);
  91. if (IS_ERR(ci)) {
  92. _debug("no cipher");
  93. ret = PTR_ERR(ci);
  94. goto error;
  95. }
  96. if (crypto_sync_skcipher_setkey(ci, token->kad->session_key,
  97. sizeof(token->kad->session_key)) < 0)
  98. BUG();
  99. switch (conn->security_level) {
  100. case RXRPC_SECURITY_PLAIN:
  101. case RXRPC_SECURITY_AUTH:
  102. case RXRPC_SECURITY_ENCRYPT:
  103. break;
  104. default:
  105. ret = -EKEYREJECTED;
  106. goto error;
  107. }
  108. ret = rxkad_prime_packet_security(conn, ci);
  109. if (ret < 0)
  110. goto error_ci;
  111. conn->rxkad.cipher = ci;
  112. return 0;
  113. error_ci:
  114. crypto_free_sync_skcipher(ci);
  115. error:
  116. _leave(" = %d", ret);
  117. return ret;
  118. }
  119. /*
  120. * Work out how much data we can put in a packet.
  121. */
  122. static struct rxrpc_txbuf *rxkad_alloc_txbuf(struct rxrpc_call *call, size_t remain, gfp_t gfp)
  123. {
  124. struct rxrpc_txbuf *txb;
  125. size_t shdr, alloc, limit, part;
  126. remain = umin(remain, 65535 - sizeof(struct rxrpc_wire_header));
  127. switch (call->conn->security_level) {
  128. default:
  129. alloc = umin(remain, RXRPC_JUMBO_DATALEN);
  130. return rxrpc_alloc_data_txbuf(call, alloc, 1, gfp);
  131. case RXRPC_SECURITY_AUTH:
  132. shdr = sizeof(struct rxkad_level1_hdr);
  133. break;
  134. case RXRPC_SECURITY_ENCRYPT:
  135. shdr = sizeof(struct rxkad_level2_hdr);
  136. break;
  137. }
  138. limit = round_down(RXRPC_JUMBO_DATALEN, RXKAD_ALIGN) - shdr;
  139. if (remain < limit) {
  140. part = remain;
  141. alloc = round_up(shdr + part, RXKAD_ALIGN);
  142. } else {
  143. part = limit;
  144. alloc = RXRPC_JUMBO_DATALEN;
  145. }
  146. txb = rxrpc_alloc_data_txbuf(call, alloc, RXKAD_ALIGN, gfp);
  147. if (!txb)
  148. return NULL;
  149. txb->crypto_header = 0;
  150. txb->sec_header = shdr;
  151. txb->offset += shdr;
  152. txb->space = part;
  153. return txb;
  154. }
  155. /*
  156. * prime the encryption state with the invariant parts of a connection's
  157. * description
  158. */
  159. static int rxkad_prime_packet_security(struct rxrpc_connection *conn,
  160. struct crypto_sync_skcipher *ci)
  161. {
  162. struct skcipher_request *req;
  163. struct rxrpc_key_token *token;
  164. struct scatterlist sg;
  165. struct rxrpc_crypt iv;
  166. __be32 *tmpbuf;
  167. size_t tmpsize = 4 * sizeof(__be32);
  168. int ret;
  169. _enter("");
  170. if (!conn->key)
  171. return 0;
  172. tmpbuf = kmalloc(tmpsize, GFP_KERNEL);
  173. if (!tmpbuf)
  174. return -ENOMEM;
  175. req = skcipher_request_alloc(&ci->base, GFP_NOFS);
  176. if (!req) {
  177. kfree(tmpbuf);
  178. return -ENOMEM;
  179. }
  180. token = conn->key->payload.data[0];
  181. memcpy(&iv, token->kad->session_key, sizeof(iv));
  182. tmpbuf[0] = htonl(conn->proto.epoch);
  183. tmpbuf[1] = htonl(conn->proto.cid);
  184. tmpbuf[2] = 0;
  185. tmpbuf[3] = htonl(conn->security_ix);
  186. sg_init_one(&sg, tmpbuf, tmpsize);
  187. skcipher_request_set_sync_tfm(req, ci);
  188. skcipher_request_set_callback(req, 0, NULL, NULL);
  189. skcipher_request_set_crypt(req, &sg, &sg, tmpsize, iv.x);
  190. ret = crypto_skcipher_encrypt(req);
  191. skcipher_request_free(req);
  192. memcpy(&conn->rxkad.csum_iv, tmpbuf + 2, sizeof(conn->rxkad.csum_iv));
  193. kfree(tmpbuf);
  194. _leave(" = %d", ret);
  195. return ret;
  196. }
  197. /*
  198. * Allocate and prepare the crypto request on a call. For any particular call,
  199. * this is called serially for the packets, so no lock should be necessary.
  200. */
  201. static struct skcipher_request *rxkad_get_call_crypto(struct rxrpc_call *call)
  202. {
  203. struct crypto_skcipher *tfm = &call->conn->rxkad.cipher->base;
  204. return skcipher_request_alloc(tfm, GFP_NOFS);
  205. }
  206. /*
  207. * Clean up the crypto on a call.
  208. */
  209. static void rxkad_free_call_crypto(struct rxrpc_call *call)
  210. {
  211. }
  212. /*
  213. * partially encrypt a packet (level 1 security)
  214. */
  215. static int rxkad_secure_packet_auth(const struct rxrpc_call *call,
  216. struct rxrpc_txbuf *txb,
  217. struct skcipher_request *req)
  218. {
  219. struct rxkad_level1_hdr *hdr = txb->data;
  220. struct rxrpc_crypt iv;
  221. struct scatterlist sg;
  222. size_t pad;
  223. u16 check;
  224. int ret;
  225. _enter("");
  226. check = txb->seq ^ call->call_id;
  227. hdr->data_size = htonl((u32)check << 16 | txb->len);
  228. txb->pkt_len = sizeof(struct rxkad_level1_hdr) + txb->len;
  229. pad = txb->pkt_len;
  230. pad = RXKAD_ALIGN - pad;
  231. pad &= RXKAD_ALIGN - 1;
  232. if (pad) {
  233. memset(txb->data + txb->offset, 0, pad);
  234. txb->pkt_len += pad;
  235. }
  236. /* start the encryption afresh */
  237. memset(&iv, 0, sizeof(iv));
  238. sg_init_one(&sg, hdr, 8);
  239. skcipher_request_set_sync_tfm(req, call->conn->rxkad.cipher);
  240. skcipher_request_set_callback(req, 0, NULL, NULL);
  241. skcipher_request_set_crypt(req, &sg, &sg, 8, iv.x);
  242. ret = crypto_skcipher_encrypt(req);
  243. skcipher_request_zero(req);
  244. _leave(" = %d", ret);
  245. return ret;
  246. }
  247. /*
  248. * wholly encrypt a packet (level 2 security)
  249. */
  250. static int rxkad_secure_packet_encrypt(const struct rxrpc_call *call,
  251. struct rxrpc_txbuf *txb,
  252. struct skcipher_request *req)
  253. {
  254. const struct rxrpc_key_token *token;
  255. struct rxkad_level2_hdr *rxkhdr = txb->data;
  256. struct rxrpc_crypt iv;
  257. struct scatterlist sg;
  258. size_t content, pad;
  259. u16 check;
  260. int ret;
  261. _enter("");
  262. check = txb->seq ^ call->call_id;
  263. rxkhdr->data_size = htonl(txb->len | (u32)check << 16);
  264. rxkhdr->checksum = 0;
  265. content = sizeof(struct rxkad_level2_hdr) + txb->len;
  266. txb->pkt_len = round_up(content, RXKAD_ALIGN);
  267. pad = txb->pkt_len - content;
  268. if (pad)
  269. memset(txb->data + txb->offset, 0, pad);
  270. /* encrypt from the session key */
  271. token = call->conn->key->payload.data[0];
  272. memcpy(&iv, token->kad->session_key, sizeof(iv));
  273. sg_init_one(&sg, rxkhdr, txb->pkt_len);
  274. skcipher_request_set_sync_tfm(req, call->conn->rxkad.cipher);
  275. skcipher_request_set_callback(req, 0, NULL, NULL);
  276. skcipher_request_set_crypt(req, &sg, &sg, txb->pkt_len, iv.x);
  277. ret = crypto_skcipher_encrypt(req);
  278. skcipher_request_zero(req);
  279. return ret;
  280. }
  281. /*
  282. * checksum an RxRPC packet header
  283. */
  284. static int rxkad_secure_packet(struct rxrpc_call *call, struct rxrpc_txbuf *txb)
  285. {
  286. struct skcipher_request *req;
  287. struct rxrpc_crypt iv;
  288. struct scatterlist sg;
  289. union {
  290. __be32 buf[2];
  291. } crypto __aligned(8);
  292. u32 x, y = 0;
  293. int ret;
  294. _enter("{%d{%x}},{#%u},%u,",
  295. call->debug_id, key_serial(call->conn->key),
  296. txb->seq, txb->len);
  297. if (!call->conn->rxkad.cipher)
  298. return 0;
  299. ret = key_validate(call->conn->key);
  300. if (ret < 0)
  301. return ret;
  302. req = rxkad_get_call_crypto(call);
  303. if (!req)
  304. return -ENOMEM;
  305. /* continue encrypting from where we left off */
  306. memcpy(&iv, call->conn->rxkad.csum_iv.x, sizeof(iv));
  307. /* calculate the security checksum */
  308. x = (call->cid & RXRPC_CHANNELMASK) << (32 - RXRPC_CIDSHIFT);
  309. x |= txb->seq & 0x3fffffff;
  310. crypto.buf[0] = htonl(call->call_id);
  311. crypto.buf[1] = htonl(x);
  312. sg_init_one(&sg, crypto.buf, 8);
  313. skcipher_request_set_sync_tfm(req, call->conn->rxkad.cipher);
  314. skcipher_request_set_callback(req, 0, NULL, NULL);
  315. skcipher_request_set_crypt(req, &sg, &sg, 8, iv.x);
  316. ret = crypto_skcipher_encrypt(req);
  317. skcipher_request_zero(req);
  318. if (ret < 0)
  319. goto out;
  320. y = ntohl(crypto.buf[1]);
  321. y = (y >> 16) & 0xffff;
  322. if (y == 0)
  323. y = 1; /* zero checksums are not permitted */
  324. txb->cksum = htons(y);
  325. switch (call->conn->security_level) {
  326. case RXRPC_SECURITY_PLAIN:
  327. txb->pkt_len = txb->len;
  328. ret = 0;
  329. break;
  330. case RXRPC_SECURITY_AUTH:
  331. ret = rxkad_secure_packet_auth(call, txb, req);
  332. if (txb->alloc_size == RXRPC_JUMBO_DATALEN)
  333. txb->jumboable = true;
  334. break;
  335. case RXRPC_SECURITY_ENCRYPT:
  336. ret = rxkad_secure_packet_encrypt(call, txb, req);
  337. if (txb->alloc_size == RXRPC_JUMBO_DATALEN)
  338. txb->jumboable = true;
  339. break;
  340. default:
  341. ret = -EPERM;
  342. break;
  343. }
  344. /* Clear excess space in the packet */
  345. if (txb->pkt_len < txb->alloc_size) {
  346. size_t gap = txb->alloc_size - txb->pkt_len;
  347. void *p = txb->data;
  348. memset(p + txb->pkt_len, 0, gap);
  349. }
  350. out:
  351. skcipher_request_free(req);
  352. _leave(" = %d [set %x]", ret, y);
  353. return ret;
  354. }
  355. /*
  356. * decrypt partial encryption on a packet (level 1 security)
  357. */
  358. static int rxkad_verify_packet_1(struct rxrpc_call *call, struct sk_buff *skb,
  359. rxrpc_seq_t seq,
  360. struct skcipher_request *req)
  361. {
  362. struct rxkad_level1_hdr sechdr;
  363. struct rxrpc_skb_priv *sp = rxrpc_skb(skb);
  364. struct rxrpc_crypt iv;
  365. struct scatterlist sg[16];
  366. u32 data_size, buf;
  367. u16 check;
  368. int ret;
  369. _enter("");
  370. if (sp->len < 8)
  371. return rxrpc_abort_eproto(call, skb, RXKADSEALEDINCON,
  372. rxkad_abort_1_short_header);
  373. /* Decrypt the skbuff in-place. TODO: We really want to decrypt
  374. * directly into the target buffer.
  375. */
  376. sg_init_table(sg, ARRAY_SIZE(sg));
  377. ret = skb_to_sgvec(skb, sg, sp->offset, 8);
  378. if (unlikely(ret < 0))
  379. return ret;
  380. /* start the decryption afresh */
  381. memset(&iv, 0, sizeof(iv));
  382. skcipher_request_set_sync_tfm(req, call->conn->rxkad.cipher);
  383. skcipher_request_set_callback(req, 0, NULL, NULL);
  384. skcipher_request_set_crypt(req, sg, sg, 8, iv.x);
  385. ret = crypto_skcipher_decrypt(req);
  386. skcipher_request_zero(req);
  387. if (ret < 0)
  388. return ret;
  389. /* Extract the decrypted packet length */
  390. if (skb_copy_bits(skb, sp->offset, &sechdr, sizeof(sechdr)) < 0)
  391. return rxrpc_abort_eproto(call, skb, RXKADDATALEN,
  392. rxkad_abort_1_short_encdata);
  393. sp->offset += sizeof(sechdr);
  394. sp->len -= sizeof(sechdr);
  395. buf = ntohl(sechdr.data_size);
  396. data_size = buf & 0xffff;
  397. check = buf >> 16;
  398. check ^= seq ^ call->call_id;
  399. check &= 0xffff;
  400. if (check != 0)
  401. return rxrpc_abort_eproto(call, skb, RXKADSEALEDINCON,
  402. rxkad_abort_1_short_check);
  403. if (data_size > sp->len)
  404. return rxrpc_abort_eproto(call, skb, RXKADDATALEN,
  405. rxkad_abort_1_short_data);
  406. sp->len = data_size;
  407. _leave(" = 0 [dlen=%x]", data_size);
  408. return 0;
  409. }
  410. /*
  411. * wholly decrypt a packet (level 2 security)
  412. */
  413. static int rxkad_verify_packet_2(struct rxrpc_call *call, struct sk_buff *skb,
  414. rxrpc_seq_t seq,
  415. struct skcipher_request *req)
  416. {
  417. const struct rxrpc_key_token *token;
  418. struct rxkad_level2_hdr sechdr;
  419. struct rxrpc_skb_priv *sp = rxrpc_skb(skb);
  420. struct rxrpc_crypt iv;
  421. struct scatterlist _sg[4], *sg;
  422. u32 data_size, buf;
  423. u16 check;
  424. int nsg, ret;
  425. _enter(",{%d}", sp->len);
  426. if (sp->len < 8)
  427. return rxrpc_abort_eproto(call, skb, RXKADSEALEDINCON,
  428. rxkad_abort_2_short_header);
  429. /* Decrypt the skbuff in-place. TODO: We really want to decrypt
  430. * directly into the target buffer.
  431. */
  432. sg = _sg;
  433. nsg = skb_shinfo(skb)->nr_frags + 1;
  434. if (nsg <= 4) {
  435. nsg = 4;
  436. } else {
  437. sg = kmalloc_objs(*sg, nsg, GFP_NOIO);
  438. if (!sg)
  439. return -ENOMEM;
  440. }
  441. sg_init_table(sg, nsg);
  442. ret = skb_to_sgvec(skb, sg, sp->offset, sp->len);
  443. if (unlikely(ret < 0)) {
  444. if (sg != _sg)
  445. kfree(sg);
  446. return ret;
  447. }
  448. /* decrypt from the session key */
  449. token = call->conn->key->payload.data[0];
  450. memcpy(&iv, token->kad->session_key, sizeof(iv));
  451. skcipher_request_set_sync_tfm(req, call->conn->rxkad.cipher);
  452. skcipher_request_set_callback(req, 0, NULL, NULL);
  453. skcipher_request_set_crypt(req, sg, sg, sp->len, iv.x);
  454. ret = crypto_skcipher_decrypt(req);
  455. skcipher_request_zero(req);
  456. if (sg != _sg)
  457. kfree(sg);
  458. if (ret < 0) {
  459. WARN_ON_ONCE(ret != -ENOMEM);
  460. return ret;
  461. }
  462. /* Extract the decrypted packet length */
  463. if (skb_copy_bits(skb, sp->offset, &sechdr, sizeof(sechdr)) < 0)
  464. return rxrpc_abort_eproto(call, skb, RXKADDATALEN,
  465. rxkad_abort_2_short_len);
  466. sp->offset += sizeof(sechdr);
  467. sp->len -= sizeof(sechdr);
  468. buf = ntohl(sechdr.data_size);
  469. data_size = buf & 0xffff;
  470. check = buf >> 16;
  471. check ^= seq ^ call->call_id;
  472. check &= 0xffff;
  473. if (check != 0)
  474. return rxrpc_abort_eproto(call, skb, RXKADSEALEDINCON,
  475. rxkad_abort_2_short_check);
  476. if (data_size > sp->len)
  477. return rxrpc_abort_eproto(call, skb, RXKADDATALEN,
  478. rxkad_abort_2_short_data);
  479. sp->len = data_size;
  480. _leave(" = 0 [dlen=%x]", data_size);
  481. return 0;
  482. }
  483. /*
  484. * Verify the security on a received packet and the subpackets therein.
  485. */
  486. static int rxkad_verify_packet(struct rxrpc_call *call, struct sk_buff *skb)
  487. {
  488. struct rxrpc_skb_priv *sp = rxrpc_skb(skb);
  489. struct skcipher_request *req;
  490. struct rxrpc_crypt iv;
  491. struct scatterlist sg;
  492. union {
  493. __be32 buf[2];
  494. } crypto __aligned(8);
  495. rxrpc_seq_t seq = sp->hdr.seq;
  496. int ret;
  497. u16 cksum;
  498. u32 x, y;
  499. _enter("{%d{%x}},{#%u}",
  500. call->debug_id, key_serial(call->conn->key), seq);
  501. if (!call->conn->rxkad.cipher)
  502. return 0;
  503. req = rxkad_get_call_crypto(call);
  504. if (!req)
  505. return -ENOMEM;
  506. /* continue encrypting from where we left off */
  507. memcpy(&iv, call->conn->rxkad.csum_iv.x, sizeof(iv));
  508. /* validate the security checksum */
  509. x = (call->cid & RXRPC_CHANNELMASK) << (32 - RXRPC_CIDSHIFT);
  510. x |= seq & 0x3fffffff;
  511. crypto.buf[0] = htonl(call->call_id);
  512. crypto.buf[1] = htonl(x);
  513. sg_init_one(&sg, crypto.buf, 8);
  514. skcipher_request_set_sync_tfm(req, call->conn->rxkad.cipher);
  515. skcipher_request_set_callback(req, 0, NULL, NULL);
  516. skcipher_request_set_crypt(req, &sg, &sg, 8, iv.x);
  517. ret = crypto_skcipher_encrypt(req);
  518. skcipher_request_zero(req);
  519. if (ret < 0)
  520. goto out;
  521. y = ntohl(crypto.buf[1]);
  522. cksum = (y >> 16) & 0xffff;
  523. if (cksum == 0)
  524. cksum = 1; /* zero checksums are not permitted */
  525. if (cksum != sp->hdr.cksum) {
  526. ret = rxrpc_abort_eproto(call, skb, RXKADSEALEDINCON,
  527. rxkad_abort_bad_checksum);
  528. goto out;
  529. }
  530. switch (call->conn->security_level) {
  531. case RXRPC_SECURITY_PLAIN:
  532. ret = 0;
  533. break;
  534. case RXRPC_SECURITY_AUTH:
  535. ret = rxkad_verify_packet_1(call, skb, seq, req);
  536. break;
  537. case RXRPC_SECURITY_ENCRYPT:
  538. ret = rxkad_verify_packet_2(call, skb, seq, req);
  539. break;
  540. default:
  541. ret = -ENOANO;
  542. break;
  543. }
  544. out:
  545. skcipher_request_free(req);
  546. return ret;
  547. }
  548. /*
  549. * issue a challenge
  550. */
  551. static int rxkad_issue_challenge(struct rxrpc_connection *conn)
  552. {
  553. struct rxkad_challenge challenge;
  554. struct rxrpc_wire_header whdr;
  555. struct msghdr msg;
  556. struct kvec iov[2];
  557. size_t len;
  558. u32 serial;
  559. int ret;
  560. _enter("{%d}", conn->debug_id);
  561. get_random_bytes(&conn->rxkad.nonce, sizeof(conn->rxkad.nonce));
  562. challenge.version = htonl(2);
  563. challenge.nonce = htonl(conn->rxkad.nonce);
  564. challenge.min_level = htonl(0);
  565. challenge.__padding = 0;
  566. msg.msg_name = &conn->peer->srx.transport;
  567. msg.msg_namelen = conn->peer->srx.transport_len;
  568. msg.msg_control = NULL;
  569. msg.msg_controllen = 0;
  570. msg.msg_flags = 0;
  571. whdr.epoch = htonl(conn->proto.epoch);
  572. whdr.cid = htonl(conn->proto.cid);
  573. whdr.callNumber = 0;
  574. whdr.seq = 0;
  575. whdr.type = RXRPC_PACKET_TYPE_CHALLENGE;
  576. whdr.flags = conn->out_clientflag;
  577. whdr.userStatus = 0;
  578. whdr.securityIndex = conn->security_ix;
  579. whdr._rsvd = 0;
  580. whdr.serviceId = htons(conn->service_id);
  581. iov[0].iov_base = &whdr;
  582. iov[0].iov_len = sizeof(whdr);
  583. iov[1].iov_base = &challenge;
  584. iov[1].iov_len = sizeof(challenge);
  585. len = iov[0].iov_len + iov[1].iov_len;
  586. serial = rxrpc_get_next_serial(conn);
  587. whdr.serial = htonl(serial);
  588. trace_rxrpc_tx_challenge(conn, serial, 0, conn->rxkad.nonce);
  589. ret = kernel_sendmsg(conn->local->socket, &msg, iov, 2, len);
  590. if (ret < 0) {
  591. trace_rxrpc_tx_fail(conn->debug_id, serial, ret,
  592. rxrpc_tx_point_rxkad_challenge);
  593. return -EAGAIN;
  594. }
  595. rxrpc_peer_mark_tx(conn->peer);
  596. trace_rxrpc_tx_packet(conn->debug_id, &whdr,
  597. rxrpc_tx_point_rxkad_challenge);
  598. _leave(" = 0");
  599. return 0;
  600. }
  601. /*
  602. * calculate the response checksum
  603. */
  604. static void rxkad_calc_response_checksum(struct rxkad_response *response)
  605. {
  606. u32 csum = 1000003;
  607. int loop;
  608. u8 *p = (u8 *) response;
  609. for (loop = sizeof(*response); loop > 0; loop--)
  610. csum = csum * 0x10204081 + *p++;
  611. response->encrypted.checksum = htonl(csum);
  612. }
  613. /*
  614. * encrypt the response packet
  615. */
  616. static int rxkad_encrypt_response(struct rxrpc_connection *conn,
  617. struct sk_buff *response,
  618. const struct rxkad_key *s2)
  619. {
  620. struct skcipher_request *req;
  621. struct rxrpc_crypt iv;
  622. struct scatterlist sg[1];
  623. size_t encsize = sizeof(((struct rxkad_response *)0)->encrypted);
  624. int ret;
  625. sg_init_table(sg, ARRAY_SIZE(sg));
  626. ret = skb_to_sgvec(response, sg,
  627. sizeof(struct rxrpc_wire_header) +
  628. offsetof(struct rxkad_response, encrypted), encsize);
  629. if (ret < 0)
  630. return ret;
  631. req = skcipher_request_alloc(&conn->rxkad.cipher->base, GFP_NOFS);
  632. if (!req)
  633. return -ENOMEM;
  634. /* continue encrypting from where we left off */
  635. memcpy(&iv, s2->session_key, sizeof(iv));
  636. skcipher_request_set_sync_tfm(req, conn->rxkad.cipher);
  637. skcipher_request_set_callback(req, 0, NULL, NULL);
  638. skcipher_request_set_crypt(req, sg, sg, encsize, iv.x);
  639. ret = crypto_skcipher_encrypt(req);
  640. skcipher_request_free(req);
  641. return ret;
  642. }
  643. /*
  644. * Validate a challenge packet.
  645. */
  646. static bool rxkad_validate_challenge(struct rxrpc_connection *conn,
  647. struct sk_buff *skb)
  648. {
  649. struct rxkad_challenge challenge;
  650. struct rxrpc_skb_priv *sp = rxrpc_skb(skb);
  651. u32 version, min_level;
  652. int ret;
  653. _enter("{%d,%x}", conn->debug_id, key_serial(conn->key));
  654. if (!conn->key) {
  655. rxrpc_abort_conn(conn, skb, RX_PROTOCOL_ERROR, -EPROTO,
  656. rxkad_abort_chall_no_key);
  657. return false;
  658. }
  659. ret = key_validate(conn->key);
  660. if (ret < 0) {
  661. rxrpc_abort_conn(conn, skb, RXKADEXPIRED, ret,
  662. rxkad_abort_chall_key_expired);
  663. return false;
  664. }
  665. if (skb_copy_bits(skb, sizeof(struct rxrpc_wire_header),
  666. &challenge, sizeof(challenge)) < 0) {
  667. rxrpc_abort_conn(conn, skb, RXKADPACKETSHORT, -EPROTO,
  668. rxkad_abort_chall_short);
  669. return false;
  670. }
  671. version = ntohl(challenge.version);
  672. sp->chall.rxkad_nonce = ntohl(challenge.nonce);
  673. min_level = ntohl(challenge.min_level);
  674. trace_rxrpc_rx_challenge(conn, sp->hdr.serial, version,
  675. sp->chall.rxkad_nonce, min_level);
  676. if (version != RXKAD_VERSION) {
  677. rxrpc_abort_conn(conn, skb, RXKADINCONSISTENCY, -EPROTO,
  678. rxkad_abort_chall_version);
  679. return false;
  680. }
  681. if (conn->security_level < min_level) {
  682. rxrpc_abort_conn(conn, skb, RXKADLEVELFAIL, -EACCES,
  683. rxkad_abort_chall_level);
  684. return false;
  685. }
  686. return true;
  687. }
  688. /*
  689. * Insert the header into the response.
  690. */
  691. static noinline
  692. int rxkad_insert_response_header(struct rxrpc_connection *conn,
  693. const struct rxrpc_key_token *token,
  694. struct sk_buff *challenge,
  695. struct sk_buff *response,
  696. size_t *offset)
  697. {
  698. struct rxrpc_skb_priv *csp = rxrpc_skb(challenge);
  699. struct {
  700. struct rxrpc_wire_header whdr;
  701. struct rxkad_response resp;
  702. } h;
  703. int ret;
  704. h.whdr.epoch = htonl(conn->proto.epoch);
  705. h.whdr.cid = htonl(conn->proto.cid);
  706. h.whdr.callNumber = 0;
  707. h.whdr.serial = 0;
  708. h.whdr.seq = 0;
  709. h.whdr.type = RXRPC_PACKET_TYPE_RESPONSE;
  710. h.whdr.flags = conn->out_clientflag;
  711. h.whdr.userStatus = 0;
  712. h.whdr.securityIndex = conn->security_ix;
  713. h.whdr.cksum = 0;
  714. h.whdr.serviceId = htons(conn->service_id);
  715. h.resp.version = htonl(RXKAD_VERSION);
  716. h.resp.__pad = 0;
  717. h.resp.encrypted.epoch = htonl(conn->proto.epoch);
  718. h.resp.encrypted.cid = htonl(conn->proto.cid);
  719. h.resp.encrypted.checksum = 0;
  720. h.resp.encrypted.securityIndex = htonl(conn->security_ix);
  721. h.resp.encrypted.call_id[0] = htonl(conn->channels[0].call_counter);
  722. h.resp.encrypted.call_id[1] = htonl(conn->channels[1].call_counter);
  723. h.resp.encrypted.call_id[2] = htonl(conn->channels[2].call_counter);
  724. h.resp.encrypted.call_id[3] = htonl(conn->channels[3].call_counter);
  725. h.resp.encrypted.inc_nonce = htonl(csp->chall.rxkad_nonce + 1);
  726. h.resp.encrypted.level = htonl(conn->security_level);
  727. h.resp.kvno = htonl(token->kad->kvno);
  728. h.resp.ticket_len = htonl(token->kad->ticket_len);
  729. rxkad_calc_response_checksum(&h.resp);
  730. ret = skb_store_bits(response, *offset, &h, sizeof(h));
  731. *offset += sizeof(h);
  732. return ret;
  733. }
  734. /*
  735. * respond to a challenge packet
  736. */
  737. static int rxkad_respond_to_challenge(struct rxrpc_connection *conn,
  738. struct sk_buff *challenge)
  739. {
  740. const struct rxrpc_key_token *token;
  741. struct rxrpc_skb_priv *csp, *rsp;
  742. struct sk_buff *response;
  743. size_t len, offset = 0;
  744. int ret = -EPROTO;
  745. _enter("{%d,%x}", conn->debug_id, key_serial(conn->key));
  746. ret = key_validate(conn->key);
  747. if (ret < 0)
  748. return rxrpc_abort_conn(conn, challenge, RXKADEXPIRED, ret,
  749. rxkad_abort_chall_key_expired);
  750. token = conn->key->payload.data[0];
  751. /* build the response packet */
  752. len = sizeof(struct rxrpc_wire_header) +
  753. sizeof(struct rxkad_response) +
  754. token->kad->ticket_len;
  755. response = alloc_skb_with_frags(0, len, 0, &ret, GFP_NOFS);
  756. if (!response)
  757. goto error;
  758. rxrpc_new_skb(response, rxrpc_skb_new_response_rxkad);
  759. response->len = len;
  760. response->data_len = len;
  761. offset = 0;
  762. ret = rxkad_insert_response_header(conn, token, challenge, response,
  763. &offset);
  764. if (ret < 0)
  765. goto error;
  766. ret = rxkad_encrypt_response(conn, response, token->kad);
  767. if (ret < 0)
  768. goto error;
  769. ret = skb_store_bits(response, offset, token->kad->ticket,
  770. token->kad->ticket_len);
  771. if (ret < 0)
  772. goto error;
  773. csp = rxrpc_skb(challenge);
  774. rsp = rxrpc_skb(response);
  775. rsp->resp.len = len;
  776. rsp->resp.challenge_serial = csp->hdr.serial;
  777. rxrpc_post_response(conn, response);
  778. response = NULL;
  779. ret = 0;
  780. error:
  781. rxrpc_free_skb(response, rxrpc_skb_put_response);
  782. return ret;
  783. }
  784. /*
  785. * RxKAD does automatic response only as there's nothing to manage that isn't
  786. * already in the key.
  787. */
  788. static int rxkad_sendmsg_respond_to_challenge(struct sk_buff *challenge,
  789. struct msghdr *msg)
  790. {
  791. return -EINVAL;
  792. }
  793. /**
  794. * rxkad_kernel_respond_to_challenge - Respond to a challenge with appdata
  795. * @challenge: The challenge to respond to
  796. *
  797. * Allow a kernel application to respond to a CHALLENGE.
  798. *
  799. * Return: %0 if successful and a negative error code otherwise.
  800. */
  801. int rxkad_kernel_respond_to_challenge(struct sk_buff *challenge)
  802. {
  803. struct rxrpc_skb_priv *csp = rxrpc_skb(challenge);
  804. return rxkad_respond_to_challenge(csp->chall.conn, challenge);
  805. }
  806. EXPORT_SYMBOL(rxkad_kernel_respond_to_challenge);
  807. /*
  808. * decrypt the kerberos IV ticket in the response
  809. */
  810. static int rxkad_decrypt_ticket(struct rxrpc_connection *conn,
  811. struct key *server_key,
  812. struct sk_buff *skb,
  813. void *ticket, size_t ticket_len,
  814. struct rxrpc_crypt *_session_key,
  815. time64_t *_expiry)
  816. {
  817. struct skcipher_request *req;
  818. struct rxrpc_crypt iv, key;
  819. struct scatterlist sg[1];
  820. struct in_addr addr;
  821. unsigned int life;
  822. time64_t issue, now;
  823. int ret;
  824. bool little_endian;
  825. u8 *p, *q, *name, *end;
  826. _enter("{%d},{%x}", conn->debug_id, key_serial(server_key));
  827. *_expiry = 0;
  828. ASSERT(server_key->payload.data[0] != NULL);
  829. ASSERTCMP((unsigned long) ticket & 7UL, ==, 0);
  830. memcpy(&iv, &server_key->payload.data[2], sizeof(iv));
  831. req = skcipher_request_alloc(server_key->payload.data[0], GFP_NOFS);
  832. if (!req)
  833. return -ENOMEM;
  834. sg_init_one(&sg[0], ticket, ticket_len);
  835. skcipher_request_set_callback(req, 0, NULL, NULL);
  836. skcipher_request_set_crypt(req, sg, sg, ticket_len, iv.x);
  837. ret = crypto_skcipher_decrypt(req);
  838. skcipher_request_free(req);
  839. if (ret < 0)
  840. return rxrpc_abort_conn(conn, skb, RXKADBADTICKET, -EPROTO,
  841. rxkad_abort_resp_tkt_short);
  842. p = ticket;
  843. end = p + ticket_len;
  844. #define Z(field, fieldl) \
  845. ({ \
  846. u8 *__str = p; \
  847. q = memchr(p, 0, end - p); \
  848. if (!q || q - p > field##_SZ) \
  849. return rxrpc_abort_conn( \
  850. conn, skb, RXKADBADTICKET, -EPROTO, \
  851. rxkad_abort_resp_tkt_##fieldl); \
  852. for (; p < q; p++) \
  853. if (!isprint(*p)) \
  854. return rxrpc_abort_conn( \
  855. conn, skb, RXKADBADTICKET, -EPROTO, \
  856. rxkad_abort_resp_tkt_##fieldl); \
  857. p++; \
  858. __str; \
  859. })
  860. /* extract the ticket flags */
  861. _debug("KIV FLAGS: %x", *p);
  862. little_endian = *p & 1;
  863. p++;
  864. /* extract the authentication name */
  865. name = Z(ANAME, aname);
  866. _debug("KIV ANAME: %s", name);
  867. /* extract the principal's instance */
  868. name = Z(INST, inst);
  869. _debug("KIV INST : %s", name);
  870. /* extract the principal's authentication domain */
  871. name = Z(REALM, realm);
  872. _debug("KIV REALM: %s", name);
  873. if (end - p < 4 + 8 + 4 + 2)
  874. return rxrpc_abort_conn(conn, skb, RXKADBADTICKET, -EPROTO,
  875. rxkad_abort_resp_tkt_short);
  876. /* get the IPv4 address of the entity that requested the ticket */
  877. memcpy(&addr, p, sizeof(addr));
  878. p += 4;
  879. _debug("KIV ADDR : %pI4", &addr);
  880. /* get the session key from the ticket */
  881. memcpy(&key, p, sizeof(key));
  882. p += 8;
  883. _debug("KIV KEY : %08x %08x", ntohl(key.n[0]), ntohl(key.n[1]));
  884. memcpy(_session_key, &key, sizeof(key));
  885. /* get the ticket's lifetime */
  886. life = *p++ * 5 * 60;
  887. _debug("KIV LIFE : %u", life);
  888. /* get the issue time of the ticket */
  889. if (little_endian) {
  890. __le32 stamp;
  891. memcpy(&stamp, p, 4);
  892. issue = rxrpc_u32_to_time64(le32_to_cpu(stamp));
  893. } else {
  894. __be32 stamp;
  895. memcpy(&stamp, p, 4);
  896. issue = rxrpc_u32_to_time64(be32_to_cpu(stamp));
  897. }
  898. p += 4;
  899. now = ktime_get_real_seconds();
  900. _debug("KIV ISSUE: %llx [%llx]", issue, now);
  901. /* check the ticket is in date */
  902. if (issue > now)
  903. return rxrpc_abort_conn(conn, skb, RXKADNOAUTH, -EKEYREJECTED,
  904. rxkad_abort_resp_tkt_future);
  905. if (issue < now - life)
  906. return rxrpc_abort_conn(conn, skb, RXKADEXPIRED, -EKEYEXPIRED,
  907. rxkad_abort_resp_tkt_expired);
  908. *_expiry = issue + life;
  909. /* get the service name */
  910. name = Z(SNAME, sname);
  911. _debug("KIV SNAME: %s", name);
  912. /* get the service instance name */
  913. name = Z(INST, sinst);
  914. _debug("KIV SINST: %s", name);
  915. return 0;
  916. }
  917. /*
  918. * decrypt the response packet
  919. */
  920. static int rxkad_decrypt_response(struct rxrpc_connection *conn,
  921. struct rxkad_response *resp,
  922. const struct rxrpc_crypt *session_key)
  923. {
  924. struct skcipher_request *req = rxkad_ci_req;
  925. struct scatterlist sg[1];
  926. struct rxrpc_crypt iv;
  927. int ret;
  928. _enter(",,%08x%08x",
  929. ntohl(session_key->n[0]), ntohl(session_key->n[1]));
  930. mutex_lock(&rxkad_ci_mutex);
  931. ret = crypto_sync_skcipher_setkey(rxkad_ci, session_key->x,
  932. sizeof(*session_key));
  933. if (ret < 0)
  934. goto unlock;
  935. memcpy(&iv, session_key, sizeof(iv));
  936. sg_init_table(sg, 1);
  937. sg_set_buf(sg, &resp->encrypted, sizeof(resp->encrypted));
  938. skcipher_request_set_sync_tfm(req, rxkad_ci);
  939. skcipher_request_set_callback(req, 0, NULL, NULL);
  940. skcipher_request_set_crypt(req, sg, sg, sizeof(resp->encrypted), iv.x);
  941. ret = crypto_skcipher_decrypt(req);
  942. skcipher_request_zero(req);
  943. unlock:
  944. mutex_unlock(&rxkad_ci_mutex);
  945. _leave("");
  946. return ret;
  947. }
  948. /*
  949. * verify a response
  950. */
  951. static int rxkad_verify_response(struct rxrpc_connection *conn,
  952. struct sk_buff *skb)
  953. {
  954. struct rxkad_response *response;
  955. struct rxrpc_skb_priv *sp = rxrpc_skb(skb);
  956. struct rxrpc_crypt session_key;
  957. struct key *server_key;
  958. time64_t expiry;
  959. void *ticket;
  960. u32 version, kvno, ticket_len, level;
  961. __be32 csum;
  962. int ret, i;
  963. _enter("{%d}", conn->debug_id);
  964. server_key = rxrpc_look_up_server_security(conn, skb, 0, 0);
  965. if (IS_ERR(server_key)) {
  966. ret = PTR_ERR(server_key);
  967. switch (ret) {
  968. case -ENOKEY:
  969. return rxrpc_abort_conn(conn, skb, RXKADUNKNOWNKEY, ret,
  970. rxkad_abort_resp_nokey);
  971. case -EKEYEXPIRED:
  972. return rxrpc_abort_conn(conn, skb, RXKADEXPIRED, ret,
  973. rxkad_abort_resp_key_expired);
  974. default:
  975. return rxrpc_abort_conn(conn, skb, RXKADNOAUTH, ret,
  976. rxkad_abort_resp_key_rejected);
  977. }
  978. }
  979. ret = -ENOMEM;
  980. response = kzalloc_obj(struct rxkad_response, GFP_NOFS);
  981. if (!response)
  982. goto temporary_error;
  983. if (skb_copy_bits(skb, sizeof(struct rxrpc_wire_header),
  984. response, sizeof(*response)) < 0) {
  985. rxrpc_abort_conn(conn, skb, RXKADPACKETSHORT, -EPROTO,
  986. rxkad_abort_resp_short);
  987. goto protocol_error;
  988. }
  989. version = ntohl(response->version);
  990. ticket_len = ntohl(response->ticket_len);
  991. kvno = ntohl(response->kvno);
  992. trace_rxrpc_rx_response(conn, sp->hdr.serial, version, kvno, ticket_len);
  993. if (version != RXKAD_VERSION) {
  994. rxrpc_abort_conn(conn, skb, RXKADINCONSISTENCY, -EPROTO,
  995. rxkad_abort_resp_version);
  996. goto protocol_error;
  997. }
  998. if (ticket_len < 4 || ticket_len > MAXKRB5TICKETLEN) {
  999. rxrpc_abort_conn(conn, skb, RXKADTICKETLEN, -EPROTO,
  1000. rxkad_abort_resp_tkt_len);
  1001. goto protocol_error;
  1002. }
  1003. if (kvno >= RXKAD_TKT_TYPE_KERBEROS_V5) {
  1004. rxrpc_abort_conn(conn, skb, RXKADUNKNOWNKEY, -EPROTO,
  1005. rxkad_abort_resp_unknown_tkt);
  1006. goto protocol_error;
  1007. }
  1008. /* extract the kerberos ticket and decrypt and decode it */
  1009. ret = -ENOMEM;
  1010. ticket = kmalloc(ticket_len, GFP_NOFS);
  1011. if (!ticket)
  1012. goto temporary_error_free_resp;
  1013. if (skb_copy_bits(skb, sizeof(struct rxrpc_wire_header) + sizeof(*response),
  1014. ticket, ticket_len) < 0) {
  1015. rxrpc_abort_conn(conn, skb, RXKADPACKETSHORT, -EPROTO,
  1016. rxkad_abort_resp_short_tkt);
  1017. goto protocol_error;
  1018. }
  1019. ret = rxkad_decrypt_ticket(conn, server_key, skb, ticket, ticket_len,
  1020. &session_key, &expiry);
  1021. if (ret < 0)
  1022. goto temporary_error_free_ticket;
  1023. /* use the session key from inside the ticket to decrypt the
  1024. * response */
  1025. ret = rxkad_decrypt_response(conn, response, &session_key);
  1026. if (ret < 0)
  1027. goto temporary_error_free_ticket;
  1028. if (ntohl(response->encrypted.epoch) != conn->proto.epoch ||
  1029. ntohl(response->encrypted.cid) != conn->proto.cid ||
  1030. ntohl(response->encrypted.securityIndex) != conn->security_ix) {
  1031. rxrpc_abort_conn(conn, skb, RXKADSEALEDINCON, -EPROTO,
  1032. rxkad_abort_resp_bad_param);
  1033. goto protocol_error_free;
  1034. }
  1035. csum = response->encrypted.checksum;
  1036. response->encrypted.checksum = 0;
  1037. rxkad_calc_response_checksum(response);
  1038. if (response->encrypted.checksum != csum) {
  1039. rxrpc_abort_conn(conn, skb, RXKADSEALEDINCON, -EPROTO,
  1040. rxkad_abort_resp_bad_checksum);
  1041. goto protocol_error_free;
  1042. }
  1043. for (i = 0; i < RXRPC_MAXCALLS; i++) {
  1044. u32 call_id = ntohl(response->encrypted.call_id[i]);
  1045. u32 counter = READ_ONCE(conn->channels[i].call_counter);
  1046. if (call_id > INT_MAX) {
  1047. rxrpc_abort_conn(conn, skb, RXKADSEALEDINCON, -EPROTO,
  1048. rxkad_abort_resp_bad_callid);
  1049. goto protocol_error_free;
  1050. }
  1051. if (call_id < counter) {
  1052. rxrpc_abort_conn(conn, skb, RXKADSEALEDINCON, -EPROTO,
  1053. rxkad_abort_resp_call_ctr);
  1054. goto protocol_error_free;
  1055. }
  1056. if (call_id > counter) {
  1057. if (conn->channels[i].call) {
  1058. rxrpc_abort_conn(conn, skb, RXKADSEALEDINCON, -EPROTO,
  1059. rxkad_abort_resp_call_state);
  1060. goto protocol_error_free;
  1061. }
  1062. conn->channels[i].call_counter = call_id;
  1063. }
  1064. }
  1065. if (ntohl(response->encrypted.inc_nonce) != conn->rxkad.nonce + 1) {
  1066. rxrpc_abort_conn(conn, skb, RXKADOUTOFSEQUENCE, -EPROTO,
  1067. rxkad_abort_resp_ooseq);
  1068. goto protocol_error_free;
  1069. }
  1070. level = ntohl(response->encrypted.level);
  1071. if (level > RXRPC_SECURITY_ENCRYPT) {
  1072. rxrpc_abort_conn(conn, skb, RXKADLEVELFAIL, -EPROTO,
  1073. rxkad_abort_resp_level);
  1074. goto protocol_error_free;
  1075. }
  1076. conn->security_level = level;
  1077. /* create a key to hold the security data and expiration time - after
  1078. * this the connection security can be handled in exactly the same way
  1079. * as for a client connection */
  1080. ret = rxrpc_get_server_data_key(conn, &session_key, expiry, kvno);
  1081. if (ret < 0)
  1082. goto temporary_error_free_ticket;
  1083. kfree(ticket);
  1084. kfree(response);
  1085. _leave(" = 0");
  1086. return 0;
  1087. protocol_error_free:
  1088. kfree(ticket);
  1089. protocol_error:
  1090. kfree(response);
  1091. key_put(server_key);
  1092. return -EPROTO;
  1093. temporary_error_free_ticket:
  1094. kfree(ticket);
  1095. temporary_error_free_resp:
  1096. kfree(response);
  1097. temporary_error:
  1098. /* Ignore the response packet if we got a temporary error such as
  1099. * ENOMEM. We just want to send the challenge again. Note that we
  1100. * also come out this way if the ticket decryption fails.
  1101. */
  1102. key_put(server_key);
  1103. return ret;
  1104. }
  1105. /*
  1106. * clear the connection security
  1107. */
  1108. static void rxkad_clear(struct rxrpc_connection *conn)
  1109. {
  1110. _enter("");
  1111. if (conn->rxkad.cipher)
  1112. crypto_free_sync_skcipher(conn->rxkad.cipher);
  1113. }
  1114. /*
  1115. * Initialise the rxkad security service.
  1116. */
  1117. static int rxkad_init(void)
  1118. {
  1119. struct crypto_sync_skcipher *tfm;
  1120. struct skcipher_request *req;
  1121. /* pin the cipher we need so that the crypto layer doesn't invoke
  1122. * keventd to go get it */
  1123. tfm = crypto_alloc_sync_skcipher("pcbc(fcrypt)", 0, 0);
  1124. if (IS_ERR(tfm))
  1125. return PTR_ERR(tfm);
  1126. req = skcipher_request_alloc(&tfm->base, GFP_KERNEL);
  1127. if (!req)
  1128. goto nomem_tfm;
  1129. rxkad_ci_req = req;
  1130. rxkad_ci = tfm;
  1131. return 0;
  1132. nomem_tfm:
  1133. crypto_free_sync_skcipher(tfm);
  1134. return -ENOMEM;
  1135. }
  1136. /*
  1137. * Clean up the rxkad security service.
  1138. */
  1139. static void rxkad_exit(void)
  1140. {
  1141. crypto_free_sync_skcipher(rxkad_ci);
  1142. skcipher_request_free(rxkad_ci_req);
  1143. }
  1144. /*
  1145. * RxRPC Kerberos-based security
  1146. */
  1147. const struct rxrpc_security rxkad = {
  1148. .name = "rxkad",
  1149. .security_index = RXRPC_SECURITY_RXKAD,
  1150. .no_key_abort = RXKADUNKNOWNKEY,
  1151. .init = rxkad_init,
  1152. .exit = rxkad_exit,
  1153. .preparse_server_key = rxkad_preparse_server_key,
  1154. .free_preparse_server_key = rxkad_free_preparse_server_key,
  1155. .destroy_server_key = rxkad_destroy_server_key,
  1156. .init_connection_security = rxkad_init_connection_security,
  1157. .alloc_txbuf = rxkad_alloc_txbuf,
  1158. .secure_packet = rxkad_secure_packet,
  1159. .verify_packet = rxkad_verify_packet,
  1160. .free_call_crypto = rxkad_free_call_crypto,
  1161. .issue_challenge = rxkad_issue_challenge,
  1162. .validate_challenge = rxkad_validate_challenge,
  1163. .sendmsg_respond_to_challenge = rxkad_sendmsg_respond_to_challenge,
  1164. .respond_to_challenge = rxkad_respond_to_challenge,
  1165. .verify_response = rxkad_verify_response,
  1166. .clear = rxkad_clear,
  1167. };